GamingServer

Target IP: 10.10.199.21


Scanning

There are two TCP ports open on the target machine: SSH and HTTP.

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 340efe0612673ea4ebab7ac4816dfea9 (RSA)
|   256 49611ef4526e7b2998db302d16edf48b (ECDSA)
|_  256 b860c45bb7b2d023a0c756595c631ec4 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: House of danak
|_http-server-header: Apache/2.4.29 (Ubuntu)

Enumeration

Port 80: HTTP
The webpage above is displayed for this web application running on port 80.

The source code of the page contains the HTML comment above. There is a possible username called john.

The /uploads directory is publicly accessible if the Uploads button is pressed on the website. It contains three files: dist.lst, manifesto.txt, and meme.jpg. The first file, which is the most interesting, contains a list of possible passwords. I saved this wordlist on my machine.

Performing a directory search shows the entries above. The /secret entry sounds interesting.

The /secret page contains the SSH key above. Does this belong to the user john? This key is encrypted, so I will use ssh2john to obtain the passphrase. Maybe I can run it against the wordlist I encountered before.

I copied the SSH key to my machine and used ssh2john to crack the passphrase using the wordlist from before. I obtained the password letmein. I also changed the permission of the key to 400, so I can use it.


Exploitation

And now I have a foothold on the target machine using the SSH key belonging to the user john. Running id shows this user belongs to the group lxd which is an easy vector to gain root!


Privilege Escalation

Gaining a root shell is simple. I followed the guide from this article. The commands I executed are highlighted in yellow in the picture above.
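
For the defensive side of this finding, here is an added example (not part of the original writeup) that audits which accounts belong to lxd and similar root-equivalent groups. It also catches membership through the primary GID, which the member list in /etc/group does not show. The extra groups (docker, disk), the function names and the sample data are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list accounts that belong to root-equivalent groups.
# The group list is an assumption; adjust it for your environment.
ROOT_EQUIV_GROUPS="lxd docker disk"

# audit_groups GROUP_FILE PASSWD_FILE
# Prints "group:user" for every non-root member, covering supplementary
# membership (4th field of the group file) and primary-GID membership
# (4th field of the passwd file).
audit_groups() {
    group_file=$1
    passwd_file=$2
    awk -F: -v wanted="$ROOT_EQUIV_GROUPS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        # First file: group database
        FILENAME == ARGV[1] {
            if ($1 in watch) {
                gid2name[$3] = $1
                m = split($4, members, ",")
                for (i = 1; i <= m; i++)
                    if (members[i] != "" && members[i] != "root")
                        print $1 ":" members[i]
            }
            next
        }
        # Second file: passwd database, to catch primary-group membership
        ($4 in gid2name) && $1 != "root" { print gid2name[$4] ":" $1 }
    ' "$group_file" "$passwd_file" | sort -u
}

# Constructed sample data (not taken from the target machine).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'sudo:x:27:john' 'lxd:x:108:john' \
        'docker:x:999:' 'www-data:x:33:' > "$tmp/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'john:x:1000:1000::/home/john:/bin/bash' \
        'build:x:1001:999::/home/build:/bin/sh' > "$tmp/passwd"
    audit_groups "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a live host, run `audit_groups /etc/group /etc/passwd` and remove any account that does not need the group.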


Flags

The user.txt flag after gaining a foothold on the machine.

The root.txt flag which is inside the mnt/root/root directory after exploiting the lxd group.